Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2018/02/26 14:59:32 UTC

Re: [OT] Running as user tomcat [authbind]

Coty and André,

On 2/23/18 6:58 PM, Coty Sutherland wrote:
> Also see https://bz.apache.org/bugzilla/show_bug.cgi?id=60560 :)
> I've been planning to push a solution for that, just haven't gotten
> around to it yet.
> 
> On Fri, Feb 23, 2018 at 5:34 PM, André Warnier (tomcat)
> <aw...@ice-sa.com> wrote:
>> On 23.02.2018 23:32, André Warnier (tomcat) wrote:
>>> 
>>> On 23.02.2018 18:52, Peter@Kreuser-Online wrote:
>>>> 
>>>> Hi Chris,
>>>> 
>>>> 
>>>> 
>>>>> On 23.02.2018 at 18:36, Cheltenham, Chris
>>>>> <cc...@philasd.org> wrote:
>>>>> 
>>>>> Hello All,
>>>>> 
>>>>> I am trying to run tomcat as a non root user.
>>>>> 
>>>>> It will start as the tomcat user but it will not bind to
>>>>> connector 443 unless it starts as root.
>>>>> 
>>>>> Does anyone know why?
>>>> 
>>>> 
>>>> Unix will not let you open ports below 1024 as non-root
>>>> user!
>>>> 
>>>> You may use a proxy in front of it or maybe use iptables to
>>>> be able to use standard ports AND user tomcat.
>>> 
>>> 
>>> See also :
>>> https://commons.apache.org/proper/commons-daemon/jsvc.html
>> 
>> 
>> Or if you are running under Linux, check : 
>> https://en.wikipedia.org/wiki/Authbind

I'm curious ... can authbind be used to *restrict* processes as well
as to grant them access? For example, let's say that I want Tomcat to
be able to bind to port 8080, it generally will be able to do that
unless some other process has bound already. But let's say I
specifically DO NOT want Tomcat to be able to bind to port 8443. Can I
use authbind to set a blacklist of ports, too? Or, can I blacklist
everything and set up a whitelist that contains only port 8080?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: [OT] Running as user tomcat [authbind]

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
Hi.

On 26.02.2018 15:59, Christopher Schultz wrote:
> I'm curious ... can authbind be used to *restrict* processes as well
> as to grant them access? For example, let's say that I want Tomcat to
> be able to bind to port 8080, it generally will be able to do that
> unless some other process has bound already. But let's say I
> specifically DO NOT want Tomcat to be able to bind to port 8443. Can I
> use authbind to set a blacklist of ports, too? Or, can I blacklist
> everything and set up a whitelist that contains only port 8080?
>

I don't really know the specifics of authbind, just that recent Debian Linux
versions seem to automatically use it to run their pre-packaged Tomcat (I
believe that previously, they used jsvc).
There is information available here :
https://manpages.debian.org/testing/authbind/authbind.1.en.html
which seems to indicate that indeed it seems to allow the kind of things
which you mention above.
Should you not have access to a Linux Debian/Ubuntu system right now, I can
also send you a sample /etc/init.d startup script for Tomcat (using
authbind) (but presumably directly, as the list does not really like
attachments)





Re: [OT] Running as user tomcat [authbind]

Posted by Coty Sutherland <cs...@apache.org>.
On Mon, Feb 26, 2018 at 9:59 AM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> I'm curious ... can authbind be used to *restrict* processes as well
> as to grant them access? For example, let's say that I want Tomcat to
> be able to bind to port 8080, it generally will be able to do that
> unless some other process has bound already. But let's say I
> specifically DO NOT want Tomcat to be able to bind to port 8443. Can I
> use authbind to set a blacklist of ports, too? Or, can I blacklist
> everything and set up a whitelist that contains only port 8080?

I'm not sure about authbind, but selinux is effectively a whitelist
which only includes a handful of ports (in http_port_t)...assuming
that it's enabled.
